lord” offered for sale 655,000 stolen health records, complete with victims’ Social Security numbers, names, addresses, birth dates, medical diagnoses, family history, surgical history, vital statistics, and more. 15, 16 Three US-based healthcare organizations were targeted to acquire this data by exploiting software vulnerabilities on computers connected to the Internet. The asking price for these stolen records was $716,000 in US dollars, and the payment method specified was Bitcoin. This offer was openly advertised on the website DeepDotWeb.com, with screenshots of data to demonstrate possession of the records. Using an unpublished vulnerability in remote desktop software, the hacker located and copied the electronic health records (EHRs) from the three healthcare organizations. Two days later, the same hacker offered for sale 9.3 million healthcare records stolen from an insurance database.

According to Clearwater Compliance, a cybersecurity vendor,
the market pricing for medical records on the Dark Web in 2016
was $60 per complete medical record, much more than stolen
financial information. 17 Cybersecurity professionals believe that
creation of this type of criminal market for patient medical records will continue to expand.

The Dark Web marketplace for stolen medical records adds another level of complexity to the cybersecurity threats facing healthcare organizations. Healthcare is especially susceptible to cyberattack because employees deal directly with the public and because some healthcare organizations are lagging behind with implementing stringent cybersecurity measures. 18 The Dark Web provides a marketplace for those with the intention to sell illegal materials, and HIM professionals need to understand that criminals create markets to sell information contained in healthcare records. HIM professionals have a responsibility to protect the identities and data of patients. Dark Web activities should continue to motivate HIM professionals to maintain high information privacy and security standards in their organizations. For example, HIM professionals should work with cybersecurity experts to ensure software patches are current, risk assessments are performed routinely, and any vulnerabilities are addressed swiftly and effectively.

What to Know about Ransomware

While stealing medical records and selling them to criminals is lucrative, another growing scheme is holding electronic health records hostage and selling access to the records back to their legitimate custodian. Known as ransomware, this form of cybercrime is enabled by the anonymity of the Dark Web. Ransomware attacks are often carried out via phishing e-mails originating from automated Dark Web sources. E-mails that appear legitimate entice users to click on a link or an image that secretly installs malicious software on their computer. The malicious software encrypts data using secret keys known only by the hackers, rendering the data unavailable. A window will then appear on the affected computer demanding payment, often in Bitcoin, to regain access to the data which has been held at ransom. Ransomware attacks on healthcare organizations put lives as well as reputations in jeopardy. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) provided clear guidance in July 2016 that having ransomware or any malicious software on a computer of a covered entity or a business associate is a security incident according to the HIPAA Security Rule. 19 Having healthcare information unavailable for even a few hours could harm both patients and the healthcare organization. 20 Ransomware is on the rise and specifically targets healthcare workers due to the high financial impact and perceived weakness of security and training across the healthcare industry. 21 HIM professionals are especially at risk of being targeted due to having extensive access to PHI.

Ransomware incidents vary from simple scareware, to malware removable by virus scanners, to complex variants that are extremely difficult to resolve. Scareware involves a threat to encrypt data or a false claim to have already done so. HIM professionals should work with their information technology professionals to provide training to users concerning backups and proper e-mail use to avoid ransomware problems. Also, users should be provided with policies and procedures on how to react to ransomware.

Risks to Medical Devices

The reach of cyberthreats began to extend into the physical world
in June 2010 with the emergence of the Stuxnet computer worm.
Prior to Stuxnet, the cyber world was generally considered separate from the physical world. Stuxnet forever bridged cyberspace
and the physical world by demonstrating that malicious software
can cause physical harm. Designed to replicate itself onto every
Microsoft Windows computer it encounters on a network, Stuxnet also can infect isolated computers via USB memory sticks,
meaning that computers on networks not connected to the Internet can be compromised. When the original Stuxnet found its
target systems, it reconfigured the operating parameters of mechanical equipment causing physical damage and destruction. 22
The cyber and physical worlds are no longer separate.

Computers are embedded in and control today’s implanted
and wearable medical devices. For example, insulin pumps and
cardioverter defibrillators are controlled by software, and therefore are vulnerable to attack. 23 In 2011, a security researcher
demonstrated his ability to hack an insulin pump via a wireless
network and alter the insulin dosage to levels that could be lethal. 24 A real-world breach occurred targeting laboratory systems
at a hospital, demonstrating the potential to alter or corrupt lab
results. 25 Implanted medical devices commonly use wireless
communication for configuration information. An attacker with
knowledge of how devices communicate could accelerate the
battery drain forcing surgical replacement, or worse. 26 These examples are provided to show how cybercriminals and their tools
lurking on the Dark Web have a direct impact on patients and
healthcare professionals.

Over the last 50 years there has been an increase in the use of computers in medical devices, such as cardiac defibrillators, cardiac pacemakers, and insulin pumps. And with the growth of wireless technology, the use of these devices is expected to expand in the coming years. 27 The benefits and conveniences associated with medical devices also come with risks of hackers accessing these systems to steal patient information or cause harm to patients. As risks continue to evolve, more concerted